Mailinglist Archive: opensuse-security (195 mails)

Re: [suse-security] Security announcements
  • From: cogNiTioN <cognition@xxxxxxxxxxx>
  • Date: Sun, 5 Mar 2000 14:07:39 +0000 (GMT)
  • Message-id: <Pine.LNX.4.10.10003051349330.3066-100000@xxxxxxxxxxxxxxxxx>
On Sat, 4 Mar 2000, John Grant wrote:
> Jussi Laako said:
> > Rune Kristian Viken wrote:
> > > vulnerability. The only responsible thing to do, is to publish the
> > > exploit to as many security-mailinglists as possible, and let admins
> > > disable the buggy service.
> >
> > After that it's a race against time from the sysadmin's point of view. Is the admin
> > fast enough to disable that service before someone breaks in? If only a few
> > people know about a security vulnerability, it's less likely that someone uses
> > it on your system. If every script kiddie knows about it, then it's much
> > more likely...

Isn't it the SysAdmin's job (among others) to be quick in responding to
security announcements?

> > How many people sit 24/7 reading security mailinglists?

So what's the option? Only release security announcements during working
hours? Working hours in which time zone? A report released at 5pm
Friday, may not be read until 9am Monday (or Tues if it happens to be a
bank holiday) the next week. Are those who do keep up with their mail meant
to be left open to attacks because some people may not read their mail for
a few days?

What about those people who admin their servers in their free time? I do
most of my admin work between the hours of 10pm and 2am.

One of the assumptions that has to be made (and I'd feel justified in
making this assumption) is that people who are involved in security are
aware of how time critical some things are, and will take the required
steps to ensure their server is not unprotected longer than they deem
acceptable.

> No SA worth the title would need to take that much time to keep up.
> Besides, that's like asking, "what if the night-watchman falls asleep?".
>
> > What if the sysadmin is on a weekend trip with his sailing boat?

I have all urgent mail (inc. some security reports) routed to my mobile
phone (via procmail and an SMS filter thing), I can't be the only person
who has done that. It has been known for me to fix problems with a mail
server, over SMS, while I've been at college, in a maths tute. Just
because an admin isn't at a terminal, doesn't mean they can't do anything
about it. Even while I was out of the country I received status reports on
my servers, and if a security report had been released, I'd have received
it and either found an internet cafe, or mailed the other admin and asked
him to fix it. Security isn't a 9 'til 5 job.

> If the night-watchman takes the weekend off then you get someone to take
> his place. Or you do without, make sure you lock the doors as best you
> can, and take your chances.

Well said.

/cog

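The "procmail and an SMS filter thing" mentioned above is not spelled out in the mail. What follows is an added example, not cogNiTioN's script or anything from the list: a small POSIX shell filter of the kind procmail could feed a message into with a `:0` recipe whose action is `| /path/to/this-script`. It unfolds the headers, decides whether the message looks like a security announcement (matching on List-Id and Subject), and reduces it to a single alert of at most 160 characters, the classic single-SMS limit. The list name, addresses and both sample messages are constructed for the example.

```shell
#!/bin/sh
# Added example: classify a mail message and boil it down to an SMS-sized alert.
# Header names, list names and sample messages below are constructed; nothing
# here is taken from the original mail or from any real list's setup.

# header NAME FILE : print the (unfolded) value of the first header called NAME.
# Header names are compared case-insensitively; continuation lines (leading
# whitespace) are joined with a single space. Stops at the first blank line.
header() {
    awk -v want="$(printf '%s' "$1" | tr 'A-Z' 'a-z')" '
        /^$/ { exit }                                   # end of header block
        /^[ \t]/ { if (found) val = val " " substr($0, 2); next }  # folded line
        {
            if (found) exit                             # next header: done
            name = tolower(substr($0, 1, index($0, ":") - 1))
            if (name == want) {
                found = 1
                val = substr($0, index($0, ":") + 1)
                sub(/^[ \t]+/, "", val)
            }
        }
        END { if (found) print val }
    ' "$2"
}

# is_security_announcement FILE : exit 0 if List-Id or Subject suggests an advisory.
is_security_announcement() {
    _list=$(header List-Id "$1" | tr 'A-Z' 'a-z')
    _subj=$(header Subject "$1" | tr 'A-Z' 'a-z')
    case "$_list" in *security*|*announce*|*bugtraq*) return 0 ;; esac
    case "$_subj" in *security*|*advisory*|*vulnerab*|*exploit*) return 0 ;; esac
    return 1
}

# sms_summary FILE : one line "SEC <sender address>: <subject>", cut to 160 chars.
sms_summary() {
    _from=$(header From "$1" | sed 's/.*<\(.*\)>.*/\1/')   # keep only the address
    _subj=$(header Subject "$1")
    printf 'SEC %s: %s' "$_from" "$_subj" | cut -c1-160
}

# --- constructed sample input -------------------------------------------------
MSG=$(mktemp)
NOISE=$(mktemp)
trap 'rm -f "$MSG" "$NOISE"' EXIT

# A constructed advisory-style message with a folded Subject header.
cat >"$MSG" <<'EOF'
From: SuSE Security <security-announce@example.invalid>
To: list@example.invalid
Subject: [suse-security-announce] SuSE Security Announcement:
 example-daemon buffer overflow
List-Id: <suse-security-announce.example.invalid>
Date: Sun, 5 Mar 2000 14:07:39 +0000

Body text would go here.
EOF

# A constructed message that should stay out of the SMS queue.
cat >"$NOISE" <<'EOF'
From: friend@example.invalid
Subject: lunch on tuesday?

see you there
EOF

# Stand-alone run: only the advisory produces an alert line.
for f in "$MSG" "$NOISE"; do
    if is_security_announcement "$f"; then
        sms_summary "$f"
    fi
done
```

In a procmail deployment the heredocs would go away and the script would read the message from standard input; the matching logic is deliberately simple so it can be read and adjusted in a hurry, which is the whole point of an alert path you rely on at 2am.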
